Cross-Account Log Data Sharing with Subscriptions

You can collaborate with an owner of a different AWS account and receive their log
events on your AWS resources, such as an Amazon Kinesis stream (this is known as cross-account
data sharing). For example, this log event data can be read from a centralized Amazon Kinesis
stream to perform custom processing and analysis. Custom processing is especially useful
when you collaborate and analyze data across many accounts. For example, a company's
information security group might want to analyze data for real-time intrusion detection
or anomalous behaviors so it could conduct an audit of accounts in all divisions in the
company by collecting their federated production logs for central processing. A
real-time stream of event data across those accounts can be assembled and delivered to
the information security groups who can use Amazon Kinesis to attach the data to their existing
security analytic systems.

Note

Cross-account subscriptions using AWS Lambda are not supported.

To share log data across accounts, you need to establish a log data sender and a log
data recipient:

Log data sender—gets the destination information
from the recipient and lets CloudWatch Logs know that it is ready to send its log events
to the specified destination.

Log data recipient—sets up a destination that
encapsulates an Amazon Kinesis stream and lets CloudWatch Logs know that the recipient wants to
receive log data. The recipient then shares the information about the
destination with the sender.

To start receiving log events from cross-account users, the log data recipient first
creates a CloudWatch Logs destination. Each destination consists of the following key
elements:

Destination name

The name of the destination you want to create.

Target ARN

The Amazon Resource Name (ARN) of the AWS resource that you want to use as
the destination of the subscription feed.

Role ARN

An AWS Identity and Access Management (IAM) role that grants CloudWatch Logs the
necessary permissions to put data into the chosen Amazon Kinesis stream.

Access policy

An IAM policy document (in JSON format, written using IAM policy
grammar) that governs the set of users that are allowed to write to your
destination.
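The access policy is the element that decides which accounts may attach a subscription filter to your destination, so it is the one to get right. The following is an added example, not code from the AWS documentation: it builds a least-privilege destination access policy that names the sender accounts and the single destination ARN, and runs a review check that flags the common over-broad variants. All account IDs, the region, and the destination name are constructed placeholders.

```python
import json

# Constructed placeholder values; substitute your own accounts, region and name.
RECIPIENT_ACCOUNT = "999999999999"
SENDER_ACCOUNTS = ["111111111111", "222222222222"]
REGION = "us-east-1"
DESTINATION_NAME = "central-security-logs"  # hypothetical destination name
DESTINATION_ARN = (f"arn:aws:logs:{REGION}:{RECIPIENT_ACCOUNT}"
                   f":destination:{DESTINATION_NAME}")


def build_destination_policy(destination_arn, sender_account_ids):
    """Access policy for a CloudWatch Logs destination: only the listed sender
    accounts may call logs:PutSubscriptionFilter against this one destination."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowNamedSendersToSubscribe",
            "Effect": "Allow",
            "Principal": {"AWS": list(sender_account_ids)},
            "Action": "logs:PutSubscriptionFilter",
            "Resource": destination_arn,
        }],
    }


def policy_findings(policy):
    """Review a destination access policy; returns a list of findings (empty = OK).
    Flags wildcard principals, wildcard resources and actions beyond the one needed."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else list(aws or [])
        if principal == "*" or "*" in aws:
            findings.append(f"{sid}: any AWS account may subscribe (Principal *)")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        if any(r == "*" or r.endswith(":destination:*") for r in resources):
            findings.append(f"{sid}: Resource wildcard covers every destination")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if any(a != "logs:PutSubscriptionFilter" for a in actions):
            findings.append(f"{sid}: grants more than logs:PutSubscriptionFilter")
    return findings


if __name__ == "__main__":
    policy = build_destination_policy(DESTINATION_ARN, SENDER_ACCOUNTS)
    # Save this JSON and attach it with: aws logs put-destination-policy
    #   --destination-name <name> --access-policy file://policy.json
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy))
```

Run the review function against any destination policy you already have in place; a non-empty result means an account other than the intended senders can subscribe to your stream.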